Date: Thu, 9 Nov 2006 13:26:03 +0100 (CET)
From: Oliver Fromme <olli@secnetix.de>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Oliver Fromme <olli@secnetix.de>
Subject: bin/105334: Error in output of tcpdump
Message-ID: <200611091226.kA9CQ3Sq027243@pluto.secnetix.de>
Resent-Message-ID: <200611091230.kA9CUXmJ044451@freefall.freebsd.org>

>Number: 105334
>Category: bin
>Synopsis: Error in output of tcpdump
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 09 12:30:31 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Oliver Fromme
>Release: FreeBSD 6.2-PRERELEASE i386
>Organization: secnetix GmbH & Co. KG http://www.secnetix.de/bsd
>Environment:
System: FreeBSD hostname 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Wed Nov 8 19:08:42 CET 2006 root@hostname:/localdisk/usr/obj/localdisk/usr/src/sys/MYSMP i386

RELENG_6 sources synced November 8th.

>Description:

While trying to debug a problem with NFS mounts via TCP, I used the following tcpdump(1) command to watch traffic on lo0. Note that some (but not all) of the port numbers are wrong:

    127.0.0.1.2714894848 > 127.0.0.1.2049
    127.0.0.1.2049 > 127.0.0.1.3251765760
    127.0.0.1.982 > 127.0.0.1.2049
    127.0.0.1.982 > 127.0.0.1.2049
    127.0.0.1.2049 > 127.0.0.1.982
    127.0.0.1.1054278144 > 127.0.0.1.2049
    127.0.0.1.2049 > 127.0.0.1.981
    127.0.0.1.981 > 127.0.0.1.2049
    127.0.0.1.98828800 > 127.0.0.1.2049
    127.0.0.1.2049 > 127.0.0.1.652476928
    127.0.0.1.981 > 127.0.0.1.2049
    127.0.0.1.981 > 127.0.0.1.2049
    127.0.0.1.2049 > 127.0.0.1.981

Port numbers are 16 bit, so 65535 is the maximum value. Obviously there is a problem with displaying those numbers in tcpdump.

In case it matters: IPF is present, but disabled, and IPFW only contains the default rule that allows anything. The machine is dual-CPU with hyperthreading, i.e. four processors are detected during boot, but only two of them are used because machdep.hyperthreading_allowed=0.

The problem does not depend on lo0 or TCP: I've seen the same problem when tcpdumping UDP NFS traffic on a vlan interface (parent was a bge(4) NIC). But only NFS seems to be affected: I don't see the problem with SSH traffic.

The tcpdump options don't matter: I see the problem with a plain "tcpdump -i <interface>", too.

# tcpdump -i lo0 -n -l -s 1600 -v -v -v
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 1600 bytes
12:42:04.184960 IP (tos 0x0, ttl 64, id 15273, offset 0, flags [DF], proto: TCP (6), length: 64)
    127.0.0.1.2714894848 > 127.0.0.1.2049: 0 proc-1157627968
12:42:04.184993 IP (tos 0x0, ttl 64, id 15274, offset 0, flags [DF], proto: TCP (6), length: 64)
    127.0.0.1.2049 > 127.0.0.1.3251765760: reply ERR 0
12:42:04.185025 IP (tos 0x0, ttl 64, id 15275, offset 0, flags [DF], proto: TCP (6), length: 52)
    127.0.0.1.982 > 127.0.0.1.2049: ., cksum 0xaefb (correct), 2592483171:2592483171(0) ack 2258073171 win 35840 <nop,nop,timestamp 5880112 5880112>
12:42:04.185075 IP (tos 0x0, ttl 64, id 15276, offset 0, flags [DF], proto: TCP (6), length: 52)
    127.0.0.1.982 > 127.0.0.1.2049: F, cksum 0xaefa (correct), 0:0(0) ack 1 win 35840 <nop,nop,timestamp 5880112 5880112>
12:42:04.185099 IP (tos 0x0, ttl 64, id 15277, offset 0, flags [DF], proto: TCP (6), length: 52)
    127.0.0.1.2049 > 127.0.0.1.982: ., cksum 0xaefa (correct), 1:1(0) ack 1 win 35840 <nop,nop,timestamp 5880112 5880112>
12:42:05.186138 IP (tos 0x0, ttl 64, id 15456, offset 0, flags [DF], proto: TCP (6), length: 64)
    127.0.0.1.1054278144 > 127.0.0.1.2049: 0 proc-1157627956
12:42:05.186174 IP (tos 0x0, ttl 64, id 15457, offset 0, flags [DF], proto: TCP (6), length: 52)
    127.0.0.1.2049 > 127.0.0.1.981: ., cksum 0x0a93 (correct), 3949479685:3949479685(0) ack 1347601746 win 35840 <nop,nop,timestamp 5881112 5034112>
12:42:05.186187 IP (tos 0x0, ttl 64, id 15458, offset 0, flags [DF], proto: TCP (6), length: 40)
    127.0.0.1.981 > 127.0.0.1.2049: R, cksum 0x9063 (correct), 1347601746:1347601746(0) win 0
12:42:08.189411 IP (tos 0x0, ttl 64, id 15990, offset 0, flags [DF], proto: TCP (6), length: 64)
    127.0.0.1.98828800 > 127.0.0.1.2049: 0 proc-1157627968
12:42:08.189445 IP (tos 0x0, ttl 64, id 15991, offset 0, flags [DF], proto: TCP (6), length: 64)
    127.0.0.1.2049 > 127.0.0.1.652476928: reply ERR 0
12:42:08.189478 IP (tos 0x0, ttl 64, id 15992, offset 0, flags [DF], proto: TCP (6), length: 52)
    127.0.0.1.981 > 127.0.0.1.2049: ., cksum 0x44f1 (correct), 888257620:888257620(0) ack 3935299000 win 35840 <nop,nop,timestamp 5884112 5884112>
12:42:08.189532 IP (tos 0x0, ttl 64, id 15993, offset 0, flags [DF], proto: TCP (6), length: 52)
    127.0.0.1.981 > 127.0.0.1.2049: F, cksum 0x44f0 (correct), 888257620:888257620(0) ack 3935299000 win 35840 <nop,nop,timestamp 5884112 5884112>
12:42:08.189556 IP (tos 0x0, ttl 64, id 15994, offset 0, flags [DF], proto: TCP (6), length: 52)
    127.0.0.1.2049 > 127.0.0.1.981: ., cksum 0x44f0 (correct), 3935299000:3935299000(0) ack 888257621 win 35840 <nop,nop,timestamp 5884112 5884112>

>How-To-Repeat:
Use the above tcpdump with some NFS traffic, and watch the port numbers.
>Fix:
unknown
>Release-Note:
>Audit-Trail:
>Unformatted:
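
A triage check for the symptom in this report, added here as an example and not part of the original message: it scans `tcpdump -n` endpoint lines for a trailing field larger than 65535 and records each value in hex together with the field on the other side. The sample lines are the endpoint pairs quoted in the report; the function name and record keys are assumptions.

```python
import re

# "ip.field > ip.field" as printed by tcpdump -n for IPv4 endpoints.
PAIR = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})\.(\d+) > "
                  r"((?:\d{1,3}\.){3}\d{1,3})\.(\d+)")
MAX_PORT = 0xFFFF  # TCP/UDP ports are 16-bit

# Endpoint pairs quoted in the report (not a new capture).
SAMPLE = """\
127.0.0.1.2714894848 > 127.0.0.1.2049
127.0.0.1.2049 > 127.0.0.1.3251765760
127.0.0.1.982 > 127.0.0.1.2049
127.0.0.1.982 > 127.0.0.1.2049
127.0.0.1.2049 > 127.0.0.1.982
127.0.0.1.1054278144 > 127.0.0.1.2049
127.0.0.1.2049 > 127.0.0.1.981
127.0.0.1.981 > 127.0.0.1.2049
127.0.0.1.98828800 > 127.0.0.1.2049
127.0.0.1.2049 > 127.0.0.1.652476928
127.0.0.1.981 > 127.0.0.1.2049
127.0.0.1.981 > 127.0.0.1.2049
127.0.0.1.2049 > 127.0.0.1.981
""".splitlines()


def out_of_range_fields(lines):
    """Flag endpoints whose trailing numeric field cannot be a port."""
    findings = []
    for line in lines:
        m = PAIR.search(line)
        if not m:
            continue
        src, dst = int(m.group(2)), int(m.group(4))
        for side, value, peer in (("src", src, dst), ("dst", dst, src)):
            if value > MAX_PORT:
                findings.append({
                    "side": side, "value": value,
                    "hex": f"{value:#010x}",      # full 32-bit view
                    "low16": value & MAX_PORT,    # low 16 bits of the value
                    "peer_port": peer,            # field on the other side
                })
    return findings


if __name__ == "__main__":
    for f in out_of_range_fields(SAMPLE):
        print(f"{f['side']} {f['value']:>10} {f['hex']} "
              f"low16={f['low16']:#06x} peer={f['peer_port']}")
```

On the report's lines, every flagged field has 2049 on the other side and the same low 16 bits, 0x0200.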